This document discusses Nigeria's Data Protection Regulation (NDPR) and issues around cybersecurity and data privacy. It provides an overview of the key aspects of the NDPR, including its objectives, coverage, definitions, principles of data processing, rights of data subjects, and implementation guidelines. It also examines challenges around NDPR implementation and compliance, as well as perspectives on data legislation internationally. Cybersecurity threats are discussed as a major issue, with vulnerabilities in systems and networks posing risks such as data and intellectual property theft. The takeaway is the importance of compliance with the NDPR and of addressing the cybersecurity challenges to data privacy.
2. Compliance with Nigeria NDPR and Cybersecurity

Agenda
- Data Privacy and Protection Concerns in Nigeria
- What NDPR Says in Specifics
- NITDA's Data Protection Regulation (NDPR): objectives, coverage, structure and definitions
- NDPR Implementation Guide
- Data Privacy Breaches and Remedies
- Perspectives of Data Protection Legislation: Nigeria and the International Jurisdictions
4. Key Concerns Associated With Data Privacy and Protection in Nigeria (World Wide Web Foundation, 2018)
1. Data collection purpose and usage "mismatch"
2. Limited rights of data subjects to the collection, usage, storage or even disposal of data
3. Lack of informed consent
4. Limited transparency associated with the processing of personal data, and risk of personal data breach
5. Risk of privacy violations in vulnerable populations, especially children and persons with mental and health incapacitations
5. Perspective of Data Legislation: Nigeria and the Global Communities
- The individual right of privacy protection is enshrined in Article 12 of the United Nations Declaration of Human Rights (1948)
- In the EU, May 25, 2018 saw the issuance of the General Data Protection Regulation (GDPR)
- In 2010 and 2014, both the ECOWAS and the African Union conventions on cybersecurity developed a framework for data protection among the member states
- In Nigeria, while there is yet to be an enacted law on data protection, citizens' privacy is guaranteed under the 1999 Constitution; specifically, section 37 says, "The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected"
6. Elsewhere, and particularly the US...
1. Federal Trade Commission Act (FTCA): prohibiting "unfair or deceptive practices affecting or inhibiting commerce"
2. Health Insurance Portability and Accountability Act (HIPAA)
3. Family Educational Rights and Privacy Act (FERPA): this seeks to protect students' educational records, and applies to all educational agencies and institutions throughout the US
4. CAN-SPAM Act 2003 (Non-Solicited Pornography and Marketing Act): seeking to regulate commercial email messages.
7. Others include...
- Gramm-Leach-Bliley Act (GLBA): in respect of the protection of customer data and the privacy of customer information by financial institutions
- Fair Credit Reporting Act: here, consumer reporting agencies are required to report consumer personal information fairly
- Children's Online Privacy Protection Act (COPPA): regulates and protects children's data across the Web, typically for underage children (13 years and below)
- California Online Privacy Protection Act, California Financial Information Privacy Act, New York Information Security Breach and Notification Act, etc.
9. Key Objectives of the NDPR
- Safeguarding the rights of natural persons to data privacy
- Ensuring the safe conduct of transactions involving the exchange of Personal Data
- Prevention of manipulation of Personal Data
- Ensuring that Nigerian businesses are competitive in international trade through an effective, secure framework on data protection, in line with best practice
10. Coverage of the NDPR
- It applies to all transactions intended for the processing of Personal Data of all natural persons, irrespective of the means of such processing
- It applies to natural persons residing in Nigeria, or residing outside Nigeria but who are citizens of Nigeria
- No Nigerian or any natural person shall, by reason of this Regulation, be denied the right to data privacy entitled to under any law, regulation, policy or contract for the time being in force in Nigeria or in any foreign jurisdiction
11. Key Concepts, Principles and Definitions
1. "Act" means the National Information Technology Development Agency Act of 2007
2. "Computer"
3. "Data Subject"
4. "Consent" of the Data Subject
5. "Data" means characters, symbols and binary on which operations are performed...
6. "Data Administrator"
7. "Data Controller"
8. "Database"
13. Key Concepts, Principles and Definitions (continued)
- "Personal Identifiable Information"
- "Processing"
- "Personal Data Breach"
- "Recipient"
- "Sensitive Personal Data"
- "The Agency" = NITDA
- "Third Party"
- "Relevant Authorities"
14. What the Regulation says in specifics... On principles governing data processing
Personal Data shall be:
- collected legitimately, for lawful purposes and with informed consent;
- adequate, accurate and without prejudice to the dignity of the human person;
- stored only for the period within which it is reasonably needed;
- secured against all foreseeable hazards and breaches.
Further principles:
- a duty of care to the Data Subject;
- accountability for acts and omissions in respect of data processing, in accordance with the principles contained in this Regulation.
15. What the Regulation says in specifics... On lawful processing: where at least one of these is true
- Informed consent of the Data Subject
- ...where the performance of a certain contract is the subject matter
- Where a legal obligation is at issue and the Data Controller is the subject
- For the protection of the vital interests of the Data Subject or of another natural person
- Where the performance of a task carried out in the public interest or in the exercise of an official public mandate vested in the controller
16. What the Regulation says in specifics... On procuring informed consent
The Data Controller is under obligation to enforce this right, and to ensure the consent of a Data Subject has been obtained without fraud, coercion or undue influence; and in this sense, the Data Subject reserves the right to know the purpose.
1. The Data Controller must demonstrate consent and the legal capacity to give same
2. Where consent is by declaration, it must be in an intelligible and easily accessible form, using clear and plain language.
3. The Data Subject shall be informed of his right and the method to withdraw his consent at any given time, without prejudice to the lawfulness of processing prior to withdrawal
4. When assessing whether consent is freely given, consideration shall be given in cases of contract performance
5. Where data may be transferred to a third party for any reason whatsoever
17. What the Regulation says in specifics... On due diligence and prohibition of improper acts
- ...direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conducts: no consent shall be sought or given
- A party to any data processing contract, other than an individual Data Subject, shall take reasonable measures to ensure the other party does not have a record of violating the principles governing rights of privacy under this Regulation
- For this purpose, "a party" shall include directors, shareholders, servants and privies of the contracting party; and "record" shall include reports of public records and reports in credible news media. In this sense, no distinction is made between legal and natural persons
18. What the Regulation says in specifics... On Privacy Policy: in addition to any relevant information, it shall contain:
1. A declaration of what constitutes the Data Subject's consent
2. A description of collectable personal information
3. The purpose of collection of Personal Data
4. The technical methods used to collect and store personal information, cookies
5. Access (if any) of third parties to Personal Data and purpose of
6. A highlight of the principles governing processing as indicated in Part 2 of this Regulation
7. Available remedies in the event of violation of the privacy policy
8. The time frame for remedy
Provided that no limitation clause shall avail any Data Controller who acts in breach of the principles set out in this Regulation.
19. What the Regulation says in specifics... On Data Security: measures to protect Data Subjects' data will not be limited to:
- Setting up firewalls
- Use of well-known data access control mechanisms
- Use of data encryption technologies
- Protecting systems from hackers
- Protection of emailing systems, and continuous capacity building for staff
- The organisation's data handling policy
20. What the Regulation says in specifics... On third party data processing contracts
"Data processing by a third party shall be governed by a written contract between the third party and the Data Controller. Accordingly, any person engaging a third party to process the data obtained from Data Subjects shall ensure adherence to this Regulation."
21. What the Regulation says in specifics... Objection: can the Data Subject object to the collection, processing,
- ...also, the Data Subject must be expressly and manifestly offered the mechanism for objection to any form of data processing, free of charge
- ...when the Data Controller intends to process the data for the purpose of marketing
22. What the Regulation says in specifics... Data Privacy Advancement
The privacy right of a Data Subject shall be construed in the light of advancing, and never for the purpose of restricting, the safeguards the Data Subject is entitled to under any data protection instrument made in furtherance of fundamental rights and the Nigerian laws.
23. What the Regulation says in specifics... Penalty for default
- In the case of a Data Controller dealing with less than 10,000 Data Subjects: payment of a fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is
- In the case of a Data Controller dealing with more than 10,000 Data Subjects: payment of a fine of 2% of the Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever
24. What the Regulation says in specifics... Transfers to other countries
"Any transfer of Personal Data which is undergoing processing or is intended for processing after transfer to a foreign country or to an international organisation shall take place subject to the other provisions of this Regulation and the supervision of the Honourable Attorney General of the Federation (HAGF)."
25. What the Regulation says in specifics... Rights of the Data Subject
"The Controller shall take appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and for any information relating to a child." "The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means."
26. Implementation Mechanism
1. The implementation is effective within three (3) months of issuance, and all organisations, private or public, must make available to the general public their respective data protection policies; these policies shall be in conformity with this Regulation
2. Every Data Controller shall designate a Data Protection Officer (DPO), who may outsource data protection to a competent person or firm
3. Assurance of continuous capacity building of DPOs by the Data Controller
4. NITDA shall by this Regulation register and license Data Protection Compliance Organisations (DPCOs), subject to Regulations and
5. Audit of organisations' data protection and privacy practices must be done within six (6) months after the date of issuance of this Regulation; this has now been
6. Where a Data Controller processes the Personal Data of more than 1000 Data Subjects in a period of six months, a soft copy of the summary of the audit shall be submitted to the Agency
7. Annually, a Data Controller who processed the Personal Data of more than 2000 Data Subjects in a period of 12 months shall, not later than the 15th of March of the following year, submit a summary of its data protection audit to the Agency
8. The mass media and the civil society shall have the right to uphold accountability and foster the objectives of this Regulation.
27. Breach and Administrative Remedy Panel
Without prejudice to the right of a Data Subject to seek redress in a court of competent jurisdiction, the Agency shall set up an Administrative Redress Panel under the following terms of reference:
- Investigation of allegations of any breach of the provisions of this Regulation;
- Invitation of any party to respond to allegations made against it within seven days;
- Issuance of administrative orders to protect the subject-matter of the allegation pending the outcome of investigation;
- Conclusion of investigation and determination of appropriate redress within twenty-eight (28) working days; and
- Any breach of this Regulation shall be construed as a breach of the provisions of the National Information Technology Development Agency (NITDA) Act of 2007.
28. Local and International Cooperation
In the case of local and international sharing of information associated with Data Subjects... steps:
- Develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of Personal Data;
- Provide international mutual assistance in the enforcement of legislation for the protection of Personal Data;
- Engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of Personal Data;
- Promote the exchange and documentation of Personal Data protection legislation and practice, including on jurisdictional conflicts with third countries.
29. NDPR Implementation Challenges
Are there challenges in NDPR implementation?
- General awareness
- COVID-19 intervention
- Capacities, expertise and grounding of breach redress mechanisms and organs
31. A Glance at Cybersecurity Threats...
Chart categories and percentages as shown on the slide:
- Point of sale: 28.5%
- Crimeware: 18.8%
- Cyber espionage: 18%
- Miscellaneous: 14.7%
- Privilege misuse: 10.6%
- Web applications: 9.4%
32. Cybersecurity Challenges
Unprecedented risk:
- Intellectual property theft
- Monetary losses
- Operational disruptions
- Company devaluation
- Customer suits
- Bad media publicity
- Brand degradation
- Environmental issues
- Regulator intervention
Vulnerabilities:
- Hyper-interconnectivity of information systems
- Rapid technological infrastructure expansion
- Undefinable business perimeter
- Unprepared corporate workforce and culture
- Dissimilar security models applied across the enterprise
Threat sources:
- Insiders
- Criminals
- State actors
- Hacktivists
- Individuals
Many organisations are unprepared.
33. Cybersecurity and Data Integrity Threats... Of data breaches...
"If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told."
The Art of War, Sun Tzu
34. Defining a breach...
Data Breach = Privacy/Data Integrity Compromise, involving:
- Business/official secrets
- Customer records
- Documents of a privacy nature
- Personally Identifiable Information (PII)
- Systems vulnerability leading to a breach
36. Cybersecurity and Identity Theft Concerns: Identity Theft Exploits
- Someone steals your personal information
- Uses it without your permission
- Can damage your finances, reputation, and credit history
41. Controlling the Risks of Cyber Attacks: General defences against breaches and identity theft
- Treat your PII with care and secrecy
- Always shred unnecessary and classified documents
- Monitor your mails for uncommon sources
- Always secure and guard your computer access and perimeter zone, including the use of valid passcodes
42. Concluding... on a general note
Cyber attacks are real:
- Information risk management
- Infrastructure security
- Application security
- Information protection
- Awareness, training, and education
- Communications and engagement
- Event management
- Governance of IT
43. Conclusion
Finally, every organization, private or public, should take NDPR very seriously! Sanctions are on the way!
- ...Next technologies are imminent: 5G/BT/Robotics, etc.
- Cyber attacks: a real threat
- Use strong perimeter protection and access controls
- Declassify and destroy documents
- Make reports to the responsible authorities (NITDA)
- Incident response is non-negotiable
46. References
- Ezeilo, G. U. (2019). Cybersecurity for finance professionals: Challenges and opportunities. Paper presented at a Workshop for Executives of Ecobank Africa.
- NITDA (2019). Nigeria Data Protection Regulation 2019.
- World Wide Web Foundation (2018). Personal data protection in Nigeria. Retrieved from www.webfoundation.org
- Hasty, R., Nagel, T., & Subjally, M. W. (2013). Data protection law in the USA. Advocates for International Development: Lawyers Eradicating Poverty.